Tony Earnshaw wrote:
The two 2.3.37 and .38 chaining tests, 018 and 032, pass on my build machine. But when I put these ad lib into slapd.conf on the consumer, they don't.
What doesn't work after 'moduleload back_ldap.la':
overlay chain
chain-uri ldap://mercurius.intern/
chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=barlaeus,dc=nl" credentials=secret mode=self
What do you mean "doesn't work"? Do you mean that it doesn't chain anonymous searches? Did you try an authenticated search? Anonymous operation chaining is implicitly disabled by the idassert-bind directive, as you can see from slapd-ldap(5).
If you want to let them through anonymously you need to add "flags=non-prescriptive" to the idassert-bind statement; if you want anonymous to be asserted as anonymous as well, leave the idassert-bind statement as is, and add
chain-idassert-authzFrom "*"
chain-tls start
Apart from chain-tls, this is almost verbatim what the two tests use.
I finally noticed from the SLAPO-CHAIN man page, not having seen the wood for the trees, the following:
"Directives for configuring the underlying ldap database may also be required, as shown in this example:".
So I tried the example, and this chaining config does work on the consumer:
overlay chain
chain-rebind-as-user FALSE

chain-uri ldap://mercurius.intern/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=barlaeus,dc=nl" credentials=secret mode=self
chain-tls start
Could someone please explain why the configuration for the two tests should pass, while it doesn't on my consumer, and why the config with the two chain-rebind-as-user stanzas does?
I don't think that adding chain-rebind-as-user really makes any difference, because rebinding as user makes no sense if you use identity assertion: the user is not going to rebind anyway, as its identity is going to be asserted. The only thing that could change is in case chaining implies further referral chasing, i.e. if while chaining the operation another referral is encountered.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
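As an added example (not from the thread, the OpenLDAP test suite or the man pages), here is a consumer-side slapd.conf chain section that puts the reply's two alternatives for anonymous operations next to each other. It assumes mercurius.intern is the provider the consumer chains to; the URI, binddn and credentials are the thread's own values and stand in for real ones.

```conf
# Added example, not from the thread: consumer-side slapd.conf chain
# configuration built from the directives discussed above. Hostname,
# binddn and password are the thread's values and are placeholders.
#
# slapd.conf has no trailing comments; a line starting with white space
# continues the previous directive, so long directives are split that way.
moduleload      back_ldap.la

# ... consumer database definition (suffix, directory, syncrepl) goes here ...

# Chain referrals returned by the consumer to the provider (assumed to be
# mercurius.intern) instead of handing them back to the client.
overlay         chain
chain-uri       ldap://mercurius.intern/

# Bind to the provider as the proxy identity and assert the local client's
# identity (mode=self). As written, operations from anonymous clients are
# NOT chained: idassert-bind refuses to assert the anonymous identity unless
# an idassert-authzFrom rule permits it.
chain-idassert-bind     bindmethod=simple
                        binddn="cn=proxy,dc=barlaeus,dc=nl"
                        credentials=secret
                        mode=self

# Variant A: let anonymous operations through with no identity asserted
# (they are performed anonymously on the provider). Replace the directive
# above with:
#   chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=barlaeus,dc=nl"
#                       credentials=secret mode=self flags=non-prescriptive
#
# Variant B: assert anonymous as anonymous as well, by allowing every local
# identity, anonymous included, to be asserted:
chain-idassert-authzFrom "*"

# Issue StartTLS on the chained connection before binding, so the proxy
# password and the asserted identities do not cross the wire in the clear.
chain-tls       start
```

Identity assertion only works if the provider authorizes cn=proxy,dc=barlaeus,dc=nl to assert other identities (authz-policy and an authzTo value on that entry); the consumer-side directives alone do not grant that.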